TOP STORY

Network security: Awareness, attention to basics
is a good start

LIKE THE
HOMEOWNER who believes he is living in a low-crime
area and thus leaves his doors unlocked, industries
that are the most vulnerable to computer network
attacks often are the ones that

Dennis Moran was
investigated in the Internet denial-of-service
attacks that crippled several popular U.S. Web
sites earlier this
year.

believe
they are unlikely targets. And the restaurant
industry, which has been relatively slow to adopt
wide-scale computerization and networking, is a prime
example.

"One of my problems here has been raising the level
of security awareness," said Corey Eubanks, who, at
the time he made that remark, was senior security
engineer with Chick-fil-A in Atlanta. Eubanks left the
foodservice company to join a security firm.

"Just because we merely sell chicken doesn't mean
we're immune to attacks," Eubanks continued. "In the
restaurant industry there's this general sentiment
that says, 'What do we have to fear? Why would someone
attack McDonald's or KFC or Chick-fil-A? What
intellectual property do we have that anyone would
want?' "

As Eubanks knows better than most, the answer is
"Plenty."

Along with the same types of sensitive payroll and
financial data stored by any large national or
multinational corporation, major foodservice players
have the brand name awareness and publicity-generating
potential prized by hackers. Hacking into a McDonald's
site might be considered more prestigious within some
hacker circles than maneuvering into an Allied-Signal
or Boeing site, security insiders contend.

Operator indifference to network security is in
keeping with "the nature of our business," Eubanks
said. "If we were a bank, it would be a different
story."

Eubanks comes by his professional nervousness
honestly, having previously served as an analyst for
the U.S. government's National Security Agency. "Since
I'm a paranoid NSA-type person, I argue that the more
security protection you have, the better off you'll be
in the end."

Although security has been a top IT concern for
decades, the Internet, with its attractive business
opportunities, has

SECURITY TIPS

Experts
from both the Information technology and
consulting communities agree that when it comes
to securing a computer network, it is best to
start with the basics. Among their hints:

Secure against viruses by using at least two
different anti-virus applications. Update
definitions regularly.

Be fanatical about backups and keep one
current set of backups at least 20 miles away
from your main building.

Limit dial-up access by employee, what can
be done remotely and by time of day.

Issue swipecards with employee pictures.

Have systems go to blank screen after two
minutes of inactivity and then require logging
in.

Train employees on security protocols,
including low-tech issues such as locking doors
and not discussing confidential company data on
the phone.

pushed
the issue to the forefront for many companies. One of
the most attractive characteristics of the Internet,
its interactivity, requires users to do some very
nonsecure things.

To cut payroll costs, some restaurants are forming
password-protected intranets to computerize the
reporting of hours and automate direct deposits to
bank accounts. To achieve those efficiencies, those
foodservice companies are permitting external systems
to connect — though usually indirectly — with one of
their most sensitive databases: payroll.

Other foodservice chains are salivating over the
potential savings represented by extranets, where
suppliers and buyers can exchange business data to
reduce paperwork automatically, accelerate order
processing and slash inventory. Such systems require
companies to open internal records — with change
privileges — to nonemployees.

And many, if not most, foodservice companies have,
or are, preparing public Web sites to build brand
awareness, market logo products and, in some cases,
take reservations. Such ventures not only permit
interaction along the network but also encourage it.
If online reservations capabilities are part of the
package, then masses of Web-surfing restaurant users
have even greater access to corporate crown jewels.

"If a restaurant chain operator is going to expose
their business to the Web, they're exposing their
backside, too," pointed out Ross Greenberg, a New
Kingston, N.Y., security consultant.

Firewalls — hardware and software — are a popular
form of network protection. They permit a user company
to access resources on open networks, such as the
Internet, but protect the user's private network from
intrusion by others. Complications can arise in
firewall strategies, however, when a firewall user
grants access to the private network to outsiders,
such as Internet or extranet users.

"A firewall does a wonderful job of protecting you
from the unknown character coming in," Greenberg said,
"but once you allow access to the legitimate customer,
how does the firewall know who the nonlegitimate
customer is?"

The recent high-profile disruption of popular Web
sites, including Yahoo and Ebay, by so-called
denial-of-service attacks illustrated the challenge
faced by network security professionals. During such
an attack the targeted Web server is rendered useless
by a well-orchestrated and unrelenting bombardment of
requests for information or action launched
simultaneously from a number of different computers.

"How do you stop someone from sending 10 gigabytes
of [data] packets to your site at the same time?"
Eubanks asked rhetorically. Security experts agree
that the answer is, "You can't," but they indicate
that companies using publicly accessible networks can
discourage troublemakers.

"If you want to keep out the 'bad guys,' you need
to inconvenience the 'good guys,'" Greenberg said.

From an IT manager's desk, though, it is not always
easy to distinguish the good guys from the bad guys.
Many people still think of the bad guys as outside
intruders, but security specialists suggest that
damage is more likely to come from employees, either
through inadvertent errors or angry acts of vengeance.

The high employee turnover and young workforce of
the restaurant industry makes the need for protecting
against unhappy employees triply essential.

"How many times have I replaced a POS machine
because someone punched it out?" asked Charles Gray,
chief information officer for Xando Cosi Inc. of New
York City. "Or we'll have someone leave and erase a
bunch of spreadsheets. With the turnover factor, you
don't have stability."

But Gray sees those issues as part of a larger,
much more frightening security trend: overreliance on
younger computer-savvy employees by
technology-frightened senior managers. Gray said he
has seen plenty of wait staffers logging in as their
manager because they can perform computer functions
more efficiently.

Many security problems can be effectively addressed
for very little money by simply adhering to security
basics, Gray maintained. Among the most obvious, he
indicated, are the routine changing of passwords and
requirements that computer users log out before
leaving their desks.

Recently, Gray said, he was walking down the hall
in his corporate headquarters and saw an unattended,
logged-on terminal. He went to the machine, set a
screensaver, assigned it a passcode and walked away.
Eventually, the careless party called the help desk
and was promptly lectured, he said.

Gray also referenced an incident during which he
was discussing a security issue with another
executive. The executive wanted protection for a
particular database. "Why?" Gray asked. "What could
anyone do with that data?"

"They could find out a restaurant's sales
particulars," was the answer. Gray then picked up his
phone and called one of the chain's restaurants.
Without identifying himself, but saying he was a
friend of someone who worked there, he spoke with the
manager, who revealed confidential sales figures.

Observed Gray: The other executive was worried
about locking down Internet access when he should have
been focused on training his people. He indicated that
his colleague had more to fear from corporate spies
working the phone than from hackers working the Web.

However, it is not just the mind-set of IT
outsiders that needs to change when it comes to
network security, Gray opined. "Some of my peers," he
said, "need to stop looking at [security] toys and go
back to the basics like deleting people [from log-on
rolls] after they leave."